VIVID: A Novel Approach to Remediation Prioritization in Static Application Security Testing (SAST)
Naeem Budhwani, Mohammad Faghani, Hayden Richard

TL;DR
VIVID introduces a graph-based analysis method for SAST data, enabling better prioritization of security fixes by identifying critical files and vulnerability flow patterns in application code.
Contribution
The paper presents a novel graph theory-based approach to analyze SAST vulnerability data flows, improving remediation prioritization with automated, evidence-based insights.
Findings
Out-degree and betweenness centrality correlate with files that carry high vulnerability traffic.
PageRank and in-degree identify the nodes that enable vulnerability flow.
Cross-clique connectivity highlights files that are candidates for refactoring.
Abstract
Static Application Security Testing (SAST) enables organizations to detect vulnerabilities in code early; however, the major SAST platforms include no visual aids and offer little insight into correlations between tainted data chains. We propose VIVID (Vulnerability Information Via Data flow), a novel method for extracting and consuming SAST insights: graph the application's vulnerability data flows (VDFs) and apply graph-theoretic analysis to the resulting VDF directed graph. Nine metrics were assessed for their effectiveness in analyzing the VDF graphs of deliberately insecure web applications: three centrality metrics, two structural metrics, PageRank, in-degree, out-degree, and cross-clique connectivity. We present simulations in which out-degree, betweenness centrality, in-eigenvector centrality, and cross-clique connectivity were found to be…
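To make the abstract's method and the Findings above concrete, the following Python is an added worked example, not code from the paper or from the VIVID authors. It takes constructed SAST findings (each finding is the chain of files its tainted data passes through, source first, sink last), builds the VDF directed graph with one edge per file-to-file hop, and computes four of the nine metrics the abstract names: in-degree, out-degree, betweenness centrality (Brandes' algorithm) and PageRank. The file names, the findings and the metric implementations are all assumptions of this example; eigenvector centrality and cross-clique connectivity are not implemented here. A per-file "traffic" count (how many findings traverse each file) is included as the ground truth against which the metrics' rankings can be compared.

```python
"""Added example: SAST taint chains -> VDF directed graph -> prioritisation metrics."""
from collections import defaultdict, deque

# Constructed sample findings (hypothetical file names): each list is the chain of
# files one SAST finding's tainted data flows through, source first, sink last.
FINDINGS = [
    ["controllers/login.py", "utils/sanitize.py", "db/query.py"],
    ["controllers/search.py", "utils/sanitize.py", "db/query.py"],
    ["controllers/upload.py", "utils/sanitize.py", "fs/storage.py"],
    ["controllers/login.py", "views/render.py"],
    ["api/comments.py", "views/render.py"],
]


def build_vdf_graph(findings):
    """Return (adj, weights): adj maps file -> set of successor files; weights counts
    how many findings traverse each directed edge (src, dst)."""
    adj, weights = defaultdict(set), defaultdict(int)
    for chain in findings:
        for src, dst in zip(chain, chain[1:]):
            adj[src].add(dst)
            adj.setdefault(dst, set())  # sinks must exist as nodes too
            weights[(src, dst)] += 1
    return dict(adj), dict(weights)


def finding_traffic(findings):
    """Ground truth: number of findings whose data flow passes through each file."""
    traffic = defaultdict(int)
    for chain in findings:
        for f in set(chain):
            traffic[f] += 1
    return dict(traffic)


def degrees(adj):
    """(in_degree, out_degree) of every file in the VDF graph."""
    out_deg = {n: len(succ) for n, succ in adj.items()}
    in_deg = {n: 0 for n in adj}
    for succ in adj.values():
        for m in succ:
            in_deg[m] += 1
    return in_deg, out_deg


def betweenness(adj):
    """Brandes' betweenness on the unweighted directed graph (raw, unnormalised):
    how many shortest source->sink paths pass through each file."""
    bc = {n: 0.0 for n in adj}
    for s in adj:
        stack, pred = [], {n: [] for n in adj}
        sigma, dist = {n: 0 for n in adj}, {n: -1 for n in adj}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:  # BFS from s, counting shortest paths
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {n: 0.0 for n in adj}
        while stack:  # accumulate dependencies in reverse BFS order
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc


def pagerank(adj, damping=0.85, iters=100, tol=1e-10):
    """Power-iteration PageRank; rank mass of dangling nodes (sinks with no
    out-edges) is redistributed uniformly so the scores keep summing to 1."""
    nodes, n = list(adj), len(adj)
    pr = {v: 1.0 / n for v in nodes}
    for _ in range(iters):
        dangling = sum(pr[v] for v in nodes if not adj[v])
        new = {v: (1 - damping) / n + damping * dangling / n for v in nodes}
        for u in nodes:
            for v in adj[u]:
                new[v] += damping * pr[u] / len(adj[u])
        diff = sum(abs(new[v] - pr[v]) for v in nodes)
        pr = new
        if diff < tol:
            break
    return pr


def rank(metric):
    """Files ordered from highest to lowest score; ties broken by name."""
    return sorted(metric, key=lambda f: (-metric[f], f))


if __name__ == "__main__":
    adj, weights = build_vdf_graph(FINDINGS)
    in_deg, out_deg = degrees(adj)
    metrics = {"traffic": finding_traffic(FINDINGS), "out-degree": out_deg,
               "in-degree": in_deg, "betweenness": betweenness(adj), "PageRank": pagerank(adj)}
    for name, m in metrics.items():
        print(f"{name:12s}", ", ".join(f"{f}={m[f]:.3g}" for f in rank(m)[:3]))
```

On this constructed graph the shared sanitiser utils/sanitize.py sits on every shortest path from the three controllers to the database and storage sinks, so it tops betweenness (6 source-sink paths), in-degree (3) and PageRank, matching the finding that these metrics surface the files through which vulnerability traffic is funnelled; out-degree ties it with controllers/login.py, which reaches two sinks directly. Whether such a file should be refactored or hardened first is exactly the prioritisation question the graph view is meant to inform.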
Taxonomy
Topics: Web Application Security Vulnerabilities · Information and Cyber Security · Security and Verification in Computing
